aMule Forum
English => Feature requests => Topic started by: Mr Faber on March 05, 2005, 11:35:48 PM
-
I think it would be a security improvement if aMuled and aMule could be bound to special interfaces for external connections (only internal connections, not the P2P ones). So I could bind it to my LAN address or to localhost and route it through ssh.
Since webinterface has no SSL and no bruteforce protection like eMule (eMule has no SSL but bruteforce protections) as far as I know a bind would be useful too.
cu
Mr Faber
-
It might be supported in future.
Since webinterface has no SSL
You definitely don't need SSL. Are you afraid of someone feeding you forged pages?! On your own LAN?
I think it would be a security improvement
Definitely. And it will be configuration hell, like all security-oriented features.
and no bruteforce protection like eMule
Completely useless feature:
You have an MD5-checksummed password. Do you have 2^128 of computing power? Good luck in basic cryptography.
-
Originally posted by lfroen
and no bruteforce protection like eMule
Completely useless feature:
You have an MD5-checksummed password. Do you have 2^128 of computing power? Good luck in basic cryptography.
That isn't correct. If a person uses a bad password (yes it is his fault but DEVs can help a lot) it is easier to bruteforce this. I think it is no problem to use the simple bruteforce protection from eMule that blocks the ip for some seconds or minutes if the password was wrong for five times. No more security needed instead of protection against potential buffer overflows.
I know that SSL isn't needed for LAN but for WAN. It isn't so important. It was just a hint for a useful feature in future.
An optional bind address, at least for external connections, would be very useful I think, but you are the dev/expert :).
cu
Mr Faber
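
The lockout described in the post above (block an IP for a while after five wrong passwords), as an added sketch that is not part of the original thread and is not aMule or eMule code. The class and function names, the 60-second block and the client address are assumptions made for illustration.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>

// Hypothetical per-IP login throttle; an added sketch, not aMule or eMule code.
class LoginThrottle {
public:
    LoginThrottle(unsigned maxFailures, std::int64_t blockSeconds)
        : maxFailures_(maxFailures), blockSeconds_(blockSeconds) {}

    // True while `ip` is locked out at time `now` (seconds on a monotonic clock).
    bool isBlocked(const std::string& ip, std::int64_t now) {
        auto it = state_.find(ip);
        if (it == state_.end()) return false;
        if (it->second.blockedUntil > now) return true;
        if (it->second.blockedUntil != 0) state_.erase(it);  // block expired
        return false;
    }

    // Record a password check result; a success clears the failure count.
    void recordAttempt(const std::string& ip, bool passwordOk, std::int64_t now) {
        if (passwordOk) { state_.erase(ip); return; }
        Entry& e = state_[ip];
        if (++e.failures >= maxFailures_) e.blockedUntil = now + blockSeconds_;
    }

private:
    struct Entry { unsigned failures = 0; std::int64_t blockedUntil = 0; };
    unsigned maxFailures_;
    std::int64_t blockSeconds_;
    std::unordered_map<std::string, Entry> state_;
};

// Constructed scenario: one client (documentation address) sends `guesses`
// wrong passwords, `secondsBetween` apart. Returns how many reached the check.
int guessesEvaluated(int guesses, std::int64_t secondsBetween) {
    LoginThrottle throttle(5, 60);  // five failures, 60 s block (duration assumed)
    int evaluated = 0;
    for (int i = 0; i < guesses; ++i) {
        std::int64_t now = i * secondsBetween;
        if (throttle.isBlocked("192.0.2.10", now)) continue;  // rejected unchecked
        ++evaluated;
        throttle.recordAttempt("192.0.2.10", false, now);
    }
    return evaluated;
}

int main() { return guessesEvaluated(100, 1) == 10 ? 0 : 1; }
```

The map here grows with every new address, so a real server would expire or cap entries. A per-IP counter also does nothing against guesses spread over many addresses.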
-
That isn't correct. If a person uses a bad password (yes it is his fault but DEVs can help a lot) it is easier to bruteforce this.
Known argument. All correct. But it is low priority compared to other things, like binding to a specific interface, which is much more useful.
I know that SSL isn't needed for LAN but for WAN. It isn't so important. It was just a hint for a useful feature in future.
We are not even going to think about it. You want THAT complicated a webserver - install Apache (or IIS), write an amule module for it, web applications, .NET or whatever your imagination provides.
SSL is a not-so-trivial thing to do. Even more complicated is to do it right (it's a cryptography-intensive thing). So the answer is no.
-
Originally posted by lfroen
I know that SSL isn't needed for LAN but for WAN. It isn't so important. It was just a hint for a useful feature in future.
We are not even going to think about it. You want THAT complicated a webserver - install Apache (or IIS), write an amule module for it, web applications, .NET or whatever your imagination provides.
SSL is a not-so-trivial thing to do. Even more complicated is to do it right (it's a cryptography-intensive thing). So the answer is no.
YOU are not even going to think about it. But I am going to think about it, and discuss it. So the answer is 'maybe'
-
I already thought about it. After 2.0.0.
-
See, see.
-
YOU are not even going to think about it
Correction: I already thought about it. The answer is a strong no. Neither I nor you have the required understanding of cryptography. GonoszTopi - have you?
Doing it wrong is worse than not doing it at all - you give a false sense of security.
But I am going to think about it, and discuss it
There are so many things to do with the usability of amuleweb. They are worth thinking about and discussing much more.
I already thought about it. After 2.0.0.
Before you go and write a single line of code for this, visit http://www.openssl.org/ - that's what you need. Don't even think about implementing a "light weight" version of SSL. Unless you have an M.Sc. and wrote a thesis on cryptography.
-
Originally posted by lfroen
YOU are not even going to think about it
Correction: I already thought about it. The answer is a strong no. Neither I nor you have the required understanding of cryptography. GonoszTopi - have you?
Doing it wrong is worse than not doing it at all - you give a false sense of security.
But I am going to think about it, and discuss it
There are so many things to do with the usability of amuleweb. They are worth thinking about and discussing much more.
I already thought about it. After 2.0.0.
Before you go and write a single line of code for this, visit http://www.openssl.org/ - that's what you need. Don't even think about implementing a "light weight" version of SSL. Unless you have an M.Sc. and wrote a thesis on cryptography.
Ahem, sorry lfroen, where do you get the idea we have not the required understanding in cryptography? And, while we're at it, who told you that we're not going to use openssl already?
In short, if you don't want to work on this, it's ok for me, but let your team co-workers work on it if they want to.
-
Ahem, sorry lfroen, where do you get the idea we have not the required understanding in cryptography?
I don't know of any project members who have an M.Sc. (at least) with a specialization in cryptography. That's what I call "required understanding" if you are going to implement SSL yourself. Taking "Introduction to cryptography" (as I did) is simply not enough.
OpenSSL will protect you from making basic mistakes, but you still have to convince at least yourself - what makes you sure that you understand what you are doing.
Using SSL is not just about linking to yet another library. You had better have theoretical insight.
-
I don't know of any project members who have an M.Sc. (at least) with a specialization in cryptography. That's what I call "required understanding" if you are going to implement SSL yourself. Taking "Introduction to cryptography" (as I did) is simply not enough.
:)
Man, you don't know your co-workers, all of them use nicks, how can you say that? :P
Btw, cryptography is no rocket science. Even if it was, rocket science is not beyond our comprehension. We are hackers, remember? ;)
Cheers!
-
Originally posted by phoenix
I don't know of any project members who have an M.Sc. (at least) with a specialization in cryptography. That's what I call "required understanding" if you are going to implement SSL yourself. Taking "Introduction to cryptography" (as I did) is simply not enough.
:)
Man, you don't know your co-workers, all of them use nicks, how can you say that? :P
Btw, cryptography is no rocket science. Even if it was, rocket science is not beyond our comprehension. We are hackers, remember? ;)
Cheers!
No, I stopped being a hacker 6 years ago :P
-
how can you say that?
That's why I say "I don't know" and "unless". So it's quite possible that I am completely wrong ;)
Btw, cryptography is no rocket science.
What makes you so sure about this one? :D You studied cryptography or rocket science, or maybe both :)?
-
Originally posted by lfroen
Neither I nor you have the required understanding of cryptography.
Sorry, is that an "I don't know" or is it me getting old?
Originally posted by lfroen
What makes you so sure about this one? :D You studied cryptography or rocket science, or maybe both :)?
/me takes a look at the wall
Now, if I could get a digital cam to show the diplomas...
-
Any news on this binding?